about keeping a checksums table in a separate file

René J.V. Bertin rjvbertin at gmail.com
Tue Feb 2 01:32:23 PST 2016

On Monday February 01 2016 21:09:24 René J.V. Bertin wrote:

Actually I think I should have raised a question as soon as the topic of implementing an auto-updating scheme came up:

How important is the whole checksumming feature really? We're talking here about source archives that already have a form in built-in checksum, plus an external check. Anything goes wrong during transmission (fetch), and the archive is very likely not to unpack successfully. Significant malicious changes to the code (supposing there are real odds for that) could lead to the (MacPorts) build or destroot failing.
The transmission/unpack argument applies to binary build tarballs too ... and if a hacker would ever be interested to introduce something into one of those tarballs he'd surely update the online checksum too (supposing there is a checksumming feature).

I'm not saying that checksumming is without interest for all ports (it's probably justified for security-related ports like openssl and family), but it's probably not much more than a maintenance hurdle for the vast majority of ports. And you do have to wait for it for biggies like Qt5.

Is there a single example where the checksum feature paid off and averted disaster?

BTW: shouldn't the checksum phase ask the user if the incriminated distfile must be removed (so that it'll be fetched again at a future attempt, hopefully without transmission errors that time)?


More information about the macports-dev mailing list